The Path to HITRUST Certification: Five Reasons to Start Now



Apr 30, 2019

The HITRUST Common Security Framework (CSF) Assurance Program has become the standard for streamlining the third-party assurance process. This stems from HITRUST’s mission to address inefficiencies and inconsistencies in third-party assurance, an objective and journey that first began in 2007. Now, across the country, health care organizations rely on the HITRUST CSF Assurance Program to help with third-party risk management.

HITRUST certification attempts to remedy the challenges both health care organizations and business associates face in monitoring and assuring security requirements. The goal in introducing a standardized compliance process that’s confirmed by a qualified and approved CSF Assessor is to unify and simplify the assurances both sides need and can support. 

Here are five big reasons now is the best time to start moving toward the new CSF program.

1. This Is Going to Take a While

HITRUST CSF certification generally takes 9-12 months to achieve from the initial gap assessment until the submission of the validated assessment for certification. This can vary between organizations depending on the initial state of their security program (i.e., how many gaps are identified in the gap assessment) and resources available to prepare for certification.

2. The Framework Has Already Been Provided

As a business associate or vendor, you’ll be reassured to know that a comprehensive framework for your journey has been developed. The HITRUST CSF is a framework that was prudently developed in collaboration with health care and information security professionals. Because the steps have been rigorously outlined, you won’t have to guess your way through it or defer action because of uncertainty.

3. You Decide How Deep and Wide to Go

Yes, the HITRUST CSF is comprehensive, but it’s also flexible. It provides options for third-party assurance and the types of reporting, and it lets you weigh the overall scope. Making the right decisions, however, requires attentiveness and time for careful consideration.

4. You Don’t Have to Go It Alone

Choosing a CSF Assessor at the outset is a valuable way to help your organization identify the proper scope and address gaps. The right CSF Assessor can help you determine the best path for meeting your client relationship needs while fitting your circumstances in the most cost-effective way possible.

5. For Maximum Leverage

Becoming certified is an industry differentiator and can be a point of entry to new health care customers. It demonstrates your commitment to security and reduces the time and volume of customer security questionnaire requests you receive. The sooner you’re committed to the process, the greater the opportunities for continued success.

Getting Started

As an Authorized HITRUST CSF Assessor, Wipfli is uniquely qualified to help align and assess your compliance with all the different regulations your organization must meet. We apply the most current, widely recognized and industry-adopted standards to your security framework. Whether or not your organization actually adopts CSF, you can be confident you’re getting an assessment based on one of the industry’s most widely accepted approaches to regulatory compliance and risk management. The result is a focused engagement with relevant documentation that appropriately fits your organization.

To learn more or get started, contact us.


Paul Johnson
Paul J. Johnson, CISSP, CCSFP, CPA